How should businesses weather China’s impending regulation on cloud computing?

In 2020, the cloud computing market in China could be almost four times the size it was only in 2015. Karry Lai reports on how the government is stepping up its regulation of an industry where local and international companies are battling for supremacy.

The market for cloud computing is predicted to be worth $20 billion in China and account for 11% of the sales in the IT industry by 2020. In 2015, the same market was worth $5.5 billion and has been attracting foreign corporations such as Amazon and Microsoft to compete with local players Tencent and Alibaba.

However, regulations on cloud computing are unclear. To improve the regulation of the sector, the Ministry of Industry and Information Technology issued a draft circular at the end of 2016on regulating business activities in the cloud services market for public comment. This is a sign of things to come in the tightening regulation of business activities in the cloud services market.

Notable in the draft law are the minimum service requirements cloud operators will need to comply with, restrictions in technical cooperation and the rules for the participation of foreign technology companies.

Peng Fu

The legislation reflects what is happening in the market say lawyers Asialaw spoke to. “In around August 2016, Amazon renewed its cooperation with local cloud services, Beijing Sinnet Technology, which authorises the Beijing company to be the local Amazon Local Services cloud service provider, with the technological support from Amazon,” says Peng Fu, partner at Haiwen & Partners. “Microsoft also established cooperation with the local operator 21Vianet for the operation and maintenance of its cloud service and both tend to be conservative.”

“There might be a connection, when observing the rules under the new draft regulation, as it specifically regulates the “cooperation model”, as in what Amazon and Microsoft have done in their cooperation with local companies,” says Fu. “Under the draft regulation, if cloud service operators cooperate with their cooperators, they need to report this to competent authorities. Some activities are prohibited. For example, such cooperators cannot directly enter into contracts with end users, and such cloud service operators cannot provide services by solely using the brands of its cooperators, but there is uncertainty as to the details on reporting obligations and ambiguity on enforcement.”

Under the draft circular, operators of cloud computing services will need to follow licensing requirements as they are categorised under internet resource collaboration services in the 2015 telecommunications services catalogue, subjecting cloud services to licensing requirements on facilities, funding and personnel. Operators will have to have an IDC VATS permit (internet data centre value added telecom services permit).

Restrictions in technical cooperation

A cloud computing service operator needs to report any proposed cooperation with operators without a permit, in writing to the telecommunications authorities and must not sign any direct service agreements with users. Operators cannot lease, lend or transfer telecoms permits, or provide funds, sites and facilities to partners who operate cloud computing services illegally.

Rules for foreign technology companies’ participation

With the exception of qualified Hong Kong and Macau invested joint ventures, which are capped at 50% for foreign investment, foreign enterprises face challenges to obtain a permit.

“The draft regulation provides that foreign investors should apply for an ICP licence in accordance with the foreign invested telecommunications enterprises administrative regulations if such investors want to operate cloud services in China. Article 4 of the draft regulation indicates that cloud service operators must conduct cooperation subject to requirements,” says Fu.

“The challenge with China is that the technology of local companies is not good enough and while they can help to store data, they do not have the technology to process the data and knowledge to store the data,” says Cheng.

More clarity needed in regulation

The draft regulation is still ambiguous about enforcement, including penalties. “Regulation is good news in a way for foreign players because having regulation is better than no regulation,” says Fu. “At least companies can try to follow the restrictions that apply to foreign companies but they are in some ways not stricter than expected.”

“The government may suspend a licence if a company has crossed the line, or send a warning to businesses by picking a few companies that breach the regulation to impose penalties on,” says Cheng. “It would be challenging to check every single company, especially local companies that act like they are cloud computing technologies but do not have the technology. These companies may be getting subsidised by local governments that want the companies to invest in their provinces.”

“There is still an open definition as to what “key information infrastructure operator” means under China’s new cybersecurity law,” says Fu. “Under certain scenarios, cloud operators may be deemed as key information infrastructure operators and thus may be subject to the restrictions on the provision of data to offshore entities or individuals, with an exception that where such data has to be provided abroad due to business needs, a security assessment shall be conducted pursuant to relevant measures.”

In line with the cybersecurity law that was passed in November 2016 and which will take effect in June, the upcoming regulation on cloud computing is aimed at reducing risks of data breach and privacy issues, which have been areas of concern as China is transforming to a digital economy at a rapid pace. More regulations focusing on data transmission may be on the horizon. Cloud computing operators, especially foreign players, should take heed of the upcoming regulation, and be prepared to forge stronger relationships with local cloud computing operators.